ZDNet Multiplexer


ZDNet Multiplexer allows marketers to connect directly with the ZDNet community by enabling them to blog on the ZDNet publishing platform. Content on ZDNet Multiplexer blogs is produced in association with the sponsor and is not part of ZDNet's editorial content.


Three Ways to Thwart XRY's 2-Minute iPhone Passcode Hack

You may not be able to prevent your iPhone or Android smartphone from being hacked in 120 seconds or less, but your company can.

Smartphones are vaunted for their ease of use. But that's precisely why they can be so vulnerable to hacking software, as Micro Systemation's XRY showed us last Wednesday.

The iPhone's default security passcode is a mere 4 digits. Four digits is incredibly weak: there are just 10,000 possible combinations, which is nothing for a piece of software to try one after another.

Back in the 1980s, teenage phone phreakers of, um, my acquaintance hacked MCI and Sprint access codes in order to make free long-distance calls. All you had to do was set your Apple II+ on auto-dial overnight and, voilà, you'd have several codes by the next morning.

So it's surprising how many companies that should know better don't require their users to set any passcode at all.

Jim Price is president of ICOMM Consulting Inc., which advises companies on mobile security (but does not resell any particular product). According to Price, about a third of ICOMM's corporate clients don't require PINs.

"My guess is that the XRY news will make our clients say, 'Oh boy, we don't just need to use PINs, but we need to use more sophisticated ones,'" said Price.

Bad User Experience = Good Security

There are three main approaches that experts like Price suggest could help prevent or slow down an XRY-style attack.

The tradeoff is the same in each case. "The kludgier it is for the end user, the safer it usually is," Price said.

The most secure approach is to deny XRY a chance to steal the data. This would require keeping all corporate data, or at least the confidential data, on the server. Employees would only be able to remotely access the content via software such as Citrix Receiver.

Some law firms and other companies with "extreme" security needs are choosing this approach, said Price. But the downsides can be huge, depending on your point of view. You need to be connected, for one. And it can take a lot of time for those e-mails or files to be downloaded.

Another approach is to use an application-level container or "sandbox" to store confidential data. Examples would be Good Technology's secure e-mail app, or Mocana, said Scott Snyder, President and Chief Strategy Officer for Mobiquity Inc., a mobile professional services provider. (Full disclosure: these applications along with Citrix Receiver compete with the Afaria MDM software from my employer, SAP).

That app and its data are encrypted and can only be accessed by entering a strong PIN. While this does protect against the XRY hack, it is, like the Citrix strategy, inconvenient for users, who potentially have to re-type their PIN every few minutes when a new e-mail arrives.

The last approach is using Mobile Device Management (MDM) software.

MDM software can harden against XRY-style attacks while creating the least extra hassle for users.

First, "most of the MDM vendors (like Afaria, MobileIron, Airwatch) have jailbreak detection software for iOS," said Snyder. Once a jailbreak attempt is detected, the MDM software can force the phone to delete all of its data before it is compromised. Note that this detection runs on the device itself, so it only helps if the MDM agent is still running and able to act at the moment the tampering happens.

Second, MDM software can enforce longer, stronger passcodes than the 4-digit defaults. And it can also enforce a policy of automatically wiping or killing the device after too many attempts.

Third, even if data is physically extracted from the iPhone, it may still be encrypted under the policies the MDM software enforces, rendering it essentially unreadable without the key.

"If something has 256-bit encryption, my belief is that there are only a handful of people in the world who can hack into that," Price said. "Even 128-bit encryption is still pretty darn secure."

For MDM software to be effective, however, IT administrators need to set aggressive 'data fading' policies that quickly kill the device upon tampering or after a period of non-communication. That's because a determined hacker will immediately put the phone into Airplane Mode, turning off all wireless communications. This prevents the iPhone from being physically tracked via its GPS chip, and the MDM software from communicating with the server.
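To put numbers on the passcode-length and wipe-after-too-many-attempts policies above, and on why the cipher's key length matters less than the passcode that unlocks the key, here is an added example. It is not code from the article, from XRY or from any MDM vendor. It takes the article's figure of 10,000 four-digit PINs in about two minutes as an assumed attempt rate, computes the keyspace and worst-case brute-force time for the passcode rules an MDM can enforce, the odds of a lucky guess before a wipe-after-N-failures policy fires, and emits an iOS passcode-policy configuration profile. The com.apple.mobiledevice.passwordpolicy payload type and its keys are Apple's; every identifier and value in it is an assumption chosen for illustration. The server-side "data fading" wipe after a period of no check-in is an MDM-server setting, not something the profile expresses.

```python
"""Passcode keyspace arithmetic and an iOS passcode-policy profile.

Added example, not code from the article, XRY, or any MDM vendor.
The attempt rate is an assumption derived from the article's figure of
10,000 four-digit PINs in about 120 seconds; the policy values and
payload identifiers are assumptions chosen to illustrate the knobs.
"""
import plistlib
import uuid

# Assumed brute-force rate: 10,000 four-digit PINs in ~120 s, per the article.
ATTEMPTS_PER_SECOND = 10_000 / 120

DIGITS = 10   # numeric passcode alphabet
ALNUM = 62    # a-z, A-Z, 0-9 (what a requireAlphanumeric policy permits)


def keyspace(length, alphabet=DIGITS):
    """Number of distinct passcodes of the given length over the alphabet.
    If the data key is derived only from the passcode, this number, not the
    cipher's 128- or 256-bit key length, bounds the attacker's work."""
    return alphabet ** length


def worst_case_seconds(length, alphabet=DIGITS, rate=ATTEMPTS_PER_SECOND):
    """Seconds to exhaust the keyspace at a fixed attempt rate, assuming
    nothing (rate limiting, auto-wipe) stops the attacker first."""
    return keyspace(length, alphabet) / rate


def guess_probability(max_failed, length, alphabet=DIGITS):
    """Chance that an attacker with no knowledge of the passcode hits it
    within max_failed attempts, i.e. before an auto-wipe policy fires."""
    return min(1.0, max_failed / keyspace(length, alphabet))


def policy_summary(length, alphabet, max_failed):
    """Keyspace, worst-case brute-force time in hours, and lucky-guess odds
    for one candidate policy, so alternatives can be compared side by side."""
    return {
        "keyspace": keyspace(length, alphabet),
        "hours_to_exhaust": worst_case_seconds(length, alphabet) / 3600,
        "p_guess_before_wipe": guess_probability(max_failed, length, alphabet),
    }


def passcode_policy_profile(min_length, max_failed, alphanumeric,
                            max_inactivity_minutes=5):
    """Return a configuration profile (plist bytes) carrying one
    com.apple.mobiledevice.passwordpolicy payload. The keys are Apple's;
    the identifiers and values are assumptions for this example."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",   # assumed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                  # a passcode is required at all
        "allowSimple": False,              # no 1111 / 1234 style codes
        "requireAlphanumeric": alphanumeric,
        "minLength": min_length,
        "maxFailedAttempts": max_failed,   # device wipes itself after this many
        "maxInactivity": max_inactivity_minutes,  # auto-lock, in minutes
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",     # assumed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example passcode policy",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def profile_payloads(profile_bytes):
    """Parse a profile produced above and return its payload dictionaries."""
    return plistlib.loads(profile_bytes)["PayloadContent"]


if __name__ == "__main__":
    for label, length, alphabet in (("4 digits", 4, DIGITS),
                                    ("6 digits", 6, DIGITS),
                                    ("8 alphanumeric", 8, ALNUM)):
        s = policy_summary(length, alphabet, max_failed=10)
        print(f"{label:15} keyspace={s['keyspace']:>16,d} "
              f"exhaust={s['hours_to_exhaust']:>14.2f} h "
              f"p(guess<wipe)={s['p_guess_before_wipe']:.2e}")
    print(passcode_policy_profile(6, 10, alphanumeric=False).decode())
```

At the assumed rate, four digits fall in two minutes, six digits in a little over three hours, and eight mixed-case alphanumeric characters would take tens of thousands of years; with a wipe after 10 failures, even the four-digit case gives an uninformed attacker only a 0.1% chance before the device erases itself. The profile has to be pushed by an MDM server or installed on the device; the numbers only describe on-device brute force and say nothing about an attacker who extracts the storage and works offline.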

As a result, Mobiquity's Snyder argues that a "belt and suspenders" approach is best: combining MDM with app-level containers like Mocana will "ensure that sensitive data is protected from spillover or attacks."

But plenty of firms can get by with just MDM. Price's own firm, ICOMM, does.

"We ourselves rejected the sandbox approach," he said. "Because of what we do, we don't need to go that far. So we use 4-digit codes. We can wipe a phone if it's lost. We're not as aggressive as some of our clients."

**********

Despite the Twitterverse being distracted by a rather dubious holiday, some of you logged into #SAPChat on Friday at noon ET to read EMF's Philippe Winthrop and me jibber-jabber about tablets, XRY, MDM, BYOD and other enterprise mobile issues. Below are excerpts from our discussion. Next time, try to join the discussion live!

Q2: Mobile Device Management - Security

SocialKev I've heard that you can hack into an iPhone in 120 seconds or less. What does this mean for enterprise mobility? #SAPChat -12:01 PM Mar 30th, 2012

biz_mobility @ericylai would be interesting to see this be done with an iOS device that has been "protected" with an EMM solution #SAPChat -12:02 PM Mar 30th, 2012

ericylai @biz_mobility - Exactly, it's the constant balance between usability and kludginess. The more secure it is, the more hassle #sapchat -12:07 PM Mar 30th, 2012

biz_mobility the problem with sandboxing in general is that it becomes a religious debate #SAPChat -12:07 PM Mar 30th, 2012

biz_mobility @ericylai often times, the more secure it is, the harder it is to use #SAPChat -12:07 PM Mar 30th, 2012

bmkatz Guys it's not about necessarily sandboxing the app but more about protecting the data #sapchat -12:09 PM Mar 30th, 2012

bmkatz If you protect the data through encryption etc, breaking the phone doesn't get you into the data - just the phone #sapchat -12:09 PM Mar 30th, 2012
